On 10/7/2024 12:50 PM, Brian J. Murrell wrote:
> I have a burst/limit defined for a DNAT rule in a macro.SVCS file:
>
> DNAT net $INT_PBX udp 5060 - - s:SIP:3/min
>
> which I then call from my rules file with:
>
> SVCS net -
>
> But when I see what shorewall did with that in terms of iptables rules
> I see this in the filter table:
>
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 10.75.22.8 udp dpt:5060 /* SVCS */
>
> and this in the nat table:
>
> 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 limit: up to 3/min burst 5 mode srcip /* SVCS */ to:10.75.22.8
>
> As you can see the burst/limit only applied to the nat table rule and
> not the filter table rule.
>
> Is this expected?
Yes - since connection requests must pass the DNAT rule prior to passing
the ACCEPT rule, applying the limit on both rules would be superfluous.
-Tom
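A quick way to confirm on your own box where a Shorewall rate limit ended up is to read `iptables-save` output rather than the wrapped `iptables -L -v -n` listing. The script below is an added example for this thread, not Shorewall code and not from either poster: it parses iptables-save text, finds the rules for a given protocol/port, and reports which of them carry a `-m limit` or `-m hashlimit` match. The embedded ruleset is constructed to mirror the two rules quoted above; the chain names (PREROUTING, FORWARD) and the hashlimit name SIP are assumptions, since Shorewall emits its own chain names.

```python
"""Check where a Shorewall rate limit landed in the generated iptables rules.

Parses iptables-save output and reports, per table, which rules for a
given protocol/port carry a `-m limit` or `-m hashlimit` match.  The
sample ruleset below is constructed for this example; it is not output
captured from a real host.
"""
import shlex

# Constructed iptables-save text.  The chain names (PREROUTING, FORWARD)
# and the hashlimit name SIP are assumptions; Shorewall emits its own
# chain names, so adapt the lookup to what `iptables-save` shows.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 5060 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name SIP -m comment --comment "SVCS" -j DNAT --to-destination 10.75.22.8
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 10.75.22.8/32 -p udp -m udp --dport 5060 -m comment --comment "SVCS" -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Yield (table, chain, argv) for every '-A' rule in iptables-save output."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # '*nat', '*filter', ...
            table = line[1:]
        elif line.startswith("-A "):
            argv = shlex.split(line)      # handles the quoted --comment value
            yield table, argv[1], argv[2:]


def _opt(argv, name):
    """Value that follows option `name` in argv, or None if absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok == name:
            return argv[i + 1]
    return None


def _has_match(argv, module):
    """True if the rule loads match extension `module` via '-m module'."""
    return any(argv[i] == "-m" and argv[i + 1] == module
               for i in range(len(argv) - 1))


def rate_limit_of(argv):
    """Describe the rate-limit match on one rule, or None if it has none."""
    if _has_match(argv, "hashlimit"):
        return {
            "match": "hashlimit",
            "rate": _opt(argv, "--hashlimit-upto") or _opt(argv, "--hashlimit-above"),
            "burst": _opt(argv, "--hashlimit-burst"),
            "mode": _opt(argv, "--hashlimit-mode"),
            "name": _opt(argv, "--hashlimit-name"),
        }
    if _has_match(argv, "limit"):
        return {
            "match": "limit",
            "rate": _opt(argv, "--limit"),
            "burst": _opt(argv, "--limit-burst"),
            "mode": None,
            "name": None,
        }
    return None


def find_rate_limits(text, dport, proto="udp"):
    """Map table -> [(chain, target, limit-or-None)] for rules on proto/dport."""
    found = {}
    for table, chain, argv in parse_iptables_save(text):
        if _opt(argv, "-p") != proto or _opt(argv, "--dport") != str(dport):
            continue
        found.setdefault(table, []).append(
            (chain, _opt(argv, "-j"), rate_limit_of(argv)))
    return found


def limit_only_in_nat(text, dport, proto="udp"):
    """True when the DNAT rule carries the limit and the filter rules do not,
    i.e. the layout Shorewall produced in the thread above."""
    found = find_rate_limits(text, dport, proto)
    nat_limited = any(lim for _, target, lim in found.get("nat", [])
                      if target == "DNAT")
    filter_limited = any(lim for _, _, lim in found.get("filter", []))
    return nat_limited and not filter_limited


if __name__ == "__main__":
    for table, rules in find_rate_limits(SAMPLE_IPTABLES_SAVE, 5060).items():
        for chain, target, lim in rules:
            print(f"{table}/{chain} -> {target}: {lim or 'no rate limit'}")
    print("limit only on the DNAT rule:",
          limit_only_in_nat(SAMPLE_IPTABLES_SAVE, 5060))
```

To run it against a live host, replace SAMPLE_IPTABLES_SAVE with the output of `iptables-save` (root required for that command, not for the script). One caveat worth keeping in mind when reading the result: the nat table is only consulted for the first packet of a connection, so a hashlimit on the DNAT rule counts new flows per source IP, not every SIP packet; that is also why putting the same limit on the filter ACCEPT would add nothing.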
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users